Download - NT Domain Restructuring and Exchange Resource Forests

NT Domain Restructuring NT Domain Restructuring and and

Exchange Resource ForestsExchange Resource Forests

Presented By; John DaughertyPresented By; John DaughertyAugust 3, 2005August 3, 2005

NT Domain Restructuring NT Domain Restructuring and Exchange Resource Forests and Exchange Resource Forests

About the SpeakerAbout the Speaker

John DaughertyJohn DaughertySenior Consultant, PCMS Datafit – IT Advisor GroupSenior Consultant, PCMS Datafit – IT Advisor Group NT4, 2000, and 2003 MCSE / MCSA / CCANT4, 2000, and 2003 MCSE / MCSA / CCA12 Years in IT, dedicated to networking12 Years in IT, dedicated to networkingPerformed dozens of NT to AD migrations/restructuresPerformed dozens of NT to AD migrations/restructures

PCMS Datafit – IT Advisor GroupPCMS Datafit – IT Advisor GroupMicrosoft Central Region VAR Partner of the YearMicrosoft Central Region VAR Partner of the Year12 senior networking consultants12 senior networking consultantsMicrosoft infrastructure solutions – AD, SMS, MOM, SharePointMicrosoft infrastructure solutions – AD, SMS, MOM, SharePointCisco, Symantec, and Citrix PartnerCisco, Symantec, and Citrix PartnerMicrosoft Gold PartnerMicrosoft Gold Partner


TopicsTopics

Restructure versus UpgradeRestructure versus Upgrade

Why Restructure?Why Restructure?

10-Steps to Restructure, Resource Forest, and Relaxation10-Steps to Restructure, Resource Forest, and Relaxation

SummarySummary

Questions?Questions?


Restructure Versus UpgradeRestructure Versus Upgrade

Upgrade retains network structureUpgrade retains network structure

Upgrade retains domain nameUpgrade retains domain name

Upgraded domain members need little attentionUpgraded domain members need little attention


Upgrade Versus RestructureUpgrade Versus Restructure

Restructure is starting over from scratchRestructure is starting over from scratch

Restructure can mean combining multiple NT 4 Domains Restructure can mean combining multiple NT 4 Domains into single AD Domaininto single AD Domain

Restructure can mean moving a single NT 4 Domain into Restructure can mean moving a single NT 4 Domain into multiple AD Domainsmultiple AD Domains

Restructuring is typically more complex during migrationRestructuring is typically more complex during migration

Restructuring is typically less complex, once migratedRestructuring is typically less complex, once migrated


Why Restructure?Why Restructure?

Have too many Domains todayHave too many Domains today

Less administration in a single Domain/Forest vs. multiple Less administration in a single Domain/Forest vs. multiple

NT4 Domain has become unreliable NT4 Domain has become unreliable

Bolt-on acquisitions – already have AD Bolt-on acquisitions – already have AD

Already have AD and NT4 Domain for whatever reason Already have AD and NT4 Domain for whatever reason


10-Steps to Restructure, Resource Forest, and Relaxation10-Steps to Restructure, Resource Forest, and Relaxation

1. Plan, Plan, and …oh yeah… PLAN!

2. Create AD Forest Structure

3. Create Trust Relationships

4. Prepare for Restructure

5. Migrate Directory Objects

6. Migrate Workstations

7. Migrate Servers

8. Migrate Exchange

9. Administer Forests

10. RELAX!


Step 1 – Plan, Plan, and oh yeah… PLAN!Step 1 – Plan, Plan, and oh yeah… PLAN!

Plan migration steps – cookbook

Test each step of the plan

Use VMWARE or MS Virtual PC

Create new BDC’s in current NT4 Domain, move to lab, promote to PDC

Involve all parties in planning

Don’t forget home-grown apps


Where we are nowWhere we are now

NT4 Domain

Users

Servers

Groups

Workstations

TS Licensing

Exchange Org

NT4 Domain

Users

Servers

Groups

Workstations

TS Licensing

Exchange Org


Step 2 – Create AD Forest structureStep 2 – Create AD Forest structure

New or existing forest

Windows 2000 or 2003 domain native mode

Create OU structure

Create GPOs/migrate system policies (don’t forget Citrix)

Create name resolution and DHC



Create site structureCost = 1024/log(unused bandwidth in Kbps)

Monitor AD healthMicrosoft, Microsoft Operations Manager

Monitor WAN healthPacketeer, PacketSeekerSolarWinds, Orion

Test name resolution intra- and inter-forest



Implement Disaster RecoveryMicrosoft, NTBackupVeritas, Backup ExecQuest, Recovery Manager for AD

Implement Directory Provisioning and ManagementMicrosoft, AD Users and Computers (mmc)SystemTools, Hyena (mmc)Quest, Active Roles Server (web and mmc)

Implement change management



Create/copy login scriptsConsider GPOsLogin scripts subdirectories (multiple domains)

Create PKI

Don’t forget NTP

FSMO roles moved

Root placeholders a good thing?



NT4 Domain

Active Directory Domain

Users

Servers

Groups

Workstations

TS Licensing

Exchange Org

NT4 Domain

Users

Servers

Groups

Workstations

TS Licensing

Exchange Org


Step 3 – Create Trust RelationshipsStep 3 – Create Trust Relationships

Mirror trusts from Domain migratedMicrosoft, ADMTQuest, Domain Migration Wizard

Create two-way external trust between source and target

Add Domain Admin account from target to source Administrators Group

Verify trusts

Turn off SID Filtering


SID FilteringSID Filtering

Security hole in inter-forest trustsSecurity hole in inter-forest trusts

Can add Domain or Enterprise Admin sID to sIDHistoryCan add Domain or Enterprise Admin sID to sIDHistory

Impersonating an elevated userImpersonating an elevated user

Nothing you can do in a single forestNothing you can do in a single forest

Must have at least Windows 2000 SP4 on DCs to enableMust have at least Windows 2000 SP4 on DCs to enable

Cannot disable SID Filtering for new W2k SP4 and later trustsCannot disable SID Filtering for new W2k SP4 and later trusts

Disable using NETDOM.exe /quarantine:No for Pre W2k SP4Disable using NETDOM.exe /quarantine:No for Pre W2k SP4


sIDs, ACLs, and ACEssIDs, ACLs, and ACEs

NT4 Users and Groups = sIDNT4 Users and Groups = sID

sIDs attached as ACEs sIDs attached as ACEs

ACEs are entries in ACLs ACEs are entries in ACLs

reACLing – rewriting NT4 sID reACLing – rewriting NT4 sID to AD GUID to AD GUID

ACLs point to NT4 sID ACLs point to NT4 sID

Many programs do not use sIDs (SQL, SMS) Many programs do not use sIDs (SQL, SMS)


sIDHistorysIDHistory

Restructure means new SID for userRestructure means new SID for user Window 2000 Native Mode or above is MS-supportedWindow 2000 Native Mode or above is MS-supported

Allows migrated accounts access to resourcesAllows migrated accounts access to resources

Multi-valued - Security token can hold up to 1023 sIDSMulti-valued - Security token can hold up to 1023 sIDS

Some applications recognize sIDs, but not sIDHistorySome applications recognize sIDs, but not sIDHistory

Some applications recognize sIDHistory, but not multi-valued Some applications recognize sIDHistory, but not multi-valued sIDHistorysIDHistory

Some applications recognize multi-valued sIDHistory, but not past 5 or Some applications recognize multi-valued sIDHistory, but not past 5 or so valuesso values


Typical Uses of sIDHistoryTypical Uses of sIDHistory

Users migrated, but servers not reACLdUsers migrated, but servers not reACLd

Users migrated, but their workstation not migrated – allows Users migrated, but their workstation not migrated – allows user to continue to use their old profile with new user to continue to use their old profile with new permissions (Quest changeprofile)permissions (Quest changeprofile)

Some domains migrated, NT4 permissions on other Some domains migrated, NT4 permissions on other domainsdomains

Unknown applications set up in NT4 DomainUnknown applications set up in NT4 Domain



NT4 Domain


Users

Servers

Groups

Workstations

TS Licensing

Exchange Org

NT4 Domain

Users

Servers

Groups

Workstations

TS Licensing

Exchange Org


Step 4 – Prepare for RestructureStep 4 – Prepare for Restructure

Gather information about source and target directory objectsSystemTools, Hyena (small and single domain)Microsoft, ADMT (small – large and single domains)Quest, DMW (large and multiple domains)

Rename users and groups to not conflict with target users or groups, unless merging

Demote those BDC’sUTools, UPromoteQuest, DCDemote


Step 4 – Prepare for the RestructureStep 4 – Prepare for the Restructure

Fully back up source and target

Resolve Events

Delete unused accountsWatch out for VPN usersWatch out for service accounts

Delete expired accounts

Ignore computer objects? Perhaps


Step 4 – Prepare for the RestructureStep 4 – Prepare for the Restructure

Move or establish DNS to AD DNS servers for workstations and servers

One last sanity check


Step 5 – Migrate Directory ObjectsStep 5 – Migrate Directory Objects

Copies NT objects into AD

Issue a freeze on the source

Merge appropriate groups and users

Disable target users

Copy passwords from source to target

Migrate sIDHistory


Step 5 – Migrate Directory ObjectsStep 5 – Migrate Directory Objects

Migrate Groups first, given the choice

Pick the RID Master FSMO in target if over 500 usersMicrosoft, ADMT v3 will (http://beta.microsoft.com – admt3beta)Quest, DMW can

Move along quickly to allowing users to log inPassword copiesAdministrator changes

Don’t update user rights if you don’t have to!

http://beta.microsoft.com/

http://beta.microsoft.com/



NT4 Domain


Users

Servers

Groups

Workstations

TS Licensing

Exchange Org

NT4 Domain

Users

Servers

Groups

Workstations

TS Licensing

Exchange Org

Users

Groups


Step 6 – Migrate WorkstationsStep 6 – Migrate Workstations

Migration can continue through workstation attrition

Least resistance, complexity, and control

Trade time and complexity for cost

You will keep sIDHistory for quite some time

Assumes no workstation domain-credential services

Proven on dozens of domain restructures



Users now exist in source and target with same sID

Enable groups of users to log into their workstationLogin script runs:UPHCLEAN installedNetdom – moves workstation to new domainWorkstation rebootsQuest, Changeprofile moves user profile

or ADMT (TemplateScript.vbs)sIDHistory gives user access to all applications!

User has experienced only one reboot



Congratulations, your users are on the new domain!

Lastly, reACL workstations (can be done later)Microsoft, ADMTQuest, DMWMany other tools can do the job

Do not use “Add Mode” if using ADMT – GPO software deployment issues when users are targeted

*** This is one of many ways to migrate workstations ***



NT4 Domain


Users

Servers

Groups

TS Licensing

Exchange Org

Users

Groups

Workstations

NT4 Domain

Users

Servers

Groups

TS Licensing

Exchange Org


Step 7 – Migrate ServersStep 7 – Migrate Servers

Move servers to target domain using migration toolsVerify users are logging in with target account

Can use “Add Mode” until all domains are migrated, then reACL using “Replace Mode.” SIDHistory fine, too.

DHCP servers will need to be authorized

Don’t move Exchange – MS does not support 5.5 to 2003 upgrade

reACL servers last – not Exchange


Step 7 – Migrate ServersStep 7 – Migrate Servers

Move Terminal Server licenses for Windows 2000 or Windows 2003



NT4 Domain


Users Disabled

Users Copied/Enabled

Servers Moved

Groups Copied

Workstations Moved

TS Licensing Moved

Exchange Org

NT4 Domain

Users Disabled

Exchange Org


Step 8 – Migrate ExchangeStep 8 – Migrate Exchange

Clean up duplicate mailboxes (multiple orgs)

Clean up resource mailboxes (conference room)

Verify no two mailboxes are owned by same accountLDAP Queries using header.exe or VBscriptQuest, DMW

reACL Information Store, prepare Exchange Account for resource ownership

ADC, Set Attribute to NTDSNOMATCHQuest, EMW is automatic – with .dll



Implement Identity Management – We’ll talk about this in a minuteMicrosoft, MIIS – Complex, highly scalableCPS Systems, SimpleSync – Simple, highly scalable

Greenfield Approach (MS, Migration Wizard)– Choice 1Uses ADC - Creates disabled mail-enabled usersUses MS, Mailbox Migration Wizard to export mailboxMust use pfmigrateNo Inbox rules migratedNeed to remove Exchange 5.5 mailbox manuallyNo delegations copiedNo Calendar to/from migrated mailboxesCan’t reply to old messages from new serverCustom recipients need to be recreatedDL’s need to be recreated



Quest Approach – Choice 2Uses Quest, Exchange Migration WizardCreates, disables, delegates mailbox-enabled target usersUses agents to synchronize source and targetSynchronizes Public FoldersAll rules and permissions migrated5.5 mailbox decommissioned, not deletedCalendars available in source and target

Both Approaches set msExchMasterAccountSID LDAP Attribute(Associated External Account in ADUC)



Active Directory Forest

Mailbox-enabled Users Disabled

Users

Servers

Groups

Workstations

TS Licensing

Single Exchange Org

Exchange Forest

Mailbox Stores

Distribution Lists

Exchange Servers

Active Directory Forest

Users

Servers

Groups

Workstations

TS Licensing

Provisioning and Sync

Contacts


Step 9 – Administer ForestsStep 9 – Administer Forests

Identity Management ExplainedIdentity Management ExplainedSynchronization of identity informationSynchronization of identity informationProvisioning and de-provisioning of Exchange mailboxesProvisioning and de-provisioning of Exchange mailboxes

Provisioning and Sync

Account Forest A Account Forest BExchange Forest


Identity Management – Linking the objectsIdentity Management – Linking the objectsAccount Forest = ObjectsidAccount Forest = ObjectsidExchange Forest = msExchMasterAccountSIDExchange Forest = msExchMasterAccountSID

Account Forest A Account Forest B

Exchange Forest

Objectsid:S-1-5-21-1371433782-193510014-1850952788-512

msExchMasterAccountSID: S-1-5-21-1371433782-193510014-1850952788-512

Objectsid:S-1-5-21-75833927764-83762083-3772547389-512

msExchMasterAccountSID:S-1-5-21-75833927764-83762083-3772547389-512



You can change any attribute you want!You can change any attribute you want!

Account Forest A Exchange Forest

Objectsid:S-1-5-21-1371433782-193510014-1850952788-512

msExchMasterAccountSID: S-1-5-21-1371433782-193510014-1850952788-512

Link

sAMAccountName: DaughertyJ sAMAccountName: DaughertyJtelephoneNumber: 555-555-5555 telephoneNumber: 555-555-5555

givenname: John

sn: Daughertygivenname: John

sn: Daugherty

homedirectory: \\file1\home\daughertyj$ homedirectory:employeeID: 4664738829 employeeID:

mail: mail: [email protected]

proxyaddresses: [email protected], [email protected]

uid (alias): DaughertyJ

Objectsid:S-1-5-21-8859376610-393537811-18522527433-512




Identity Management – Updating the objects

Choose source and target objects in Identity Management app

Schedule Identity Management app to run

Changes from source copy to target

Based on LDAP attributes

Changes should be one-way – source to target

Changes in target shouldn’t map to source



Identity Management – Updating the objects

When msExchMasterAccountSID changes, link is broken

LOCK DOWN TARGET LDAP ATTRIBUTES

Administer via ADUC in source and ESM/ADUC in target

Copy sAMAccountName – easier to find objects in target

Groups should not be copied to target

Contacts should not be copied to target

Don’t copy Exchange attributes to target



Identity Management – Provisioning and de-ProvisioningWorks on a triggerOne size does not fit allDelay deletes in target when source accounts are deleted

Administration ToolsAccount / Mailbox ManagementMicrosoft, WebAdminMicrosoft, ADMTSystemTools, HyenaQuest, Active Roles Server


Step 10 - RelaxStep 10 - Relax

Tryout for Reality Television Game Show

Watch Emeril, Dazzle Loved Ones with Gourmet PB&J

Spend Time Contemplating Meaning of Life

Learn Japanese, Watch Jackie Chan Movies

Take up Running; Hyperventilate; Give up Running

Spend time with loved ones… at Argosy


SummarySummary

Many Reasons to Restructure

Plan, Plan, and … oh yeah… PLAN!

Create migration cookbook

Build AD Forests, then migrate – don’t build during migration

reACL Last

Migrate all Domains Before Exchange

Choose the Right Tools for the Task – Free isn’t Always Better


Recommended ReadingRecommended Reading

Domain Migration Cookbook

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp1.mspx

Microsoft Windows Server 2003 Unleashedhttp://www.samspublishing.com/title/0672321548

Deployment Options for Exchange 2003

http://wm.quest.com/Reg/Marketing/Promos/whitepapers/kmccory/welcome.asp

SimpleSync with Active Directory and Exchange 2000/2003http://cps-systems.com/simplesync/whitepapers/SimpleSync

%20with%20AD-Exchange%202000.pdf



http://www.samspublishing.com/title/0672321548




Questions?Questions?

[email protected]@ITAdvisorGroup.com

www.ITAdvisorGroup.comwww.ITAdvisorGroup.com